A regra do fail2ban não funciona quando a solicitação é do ataque de força bruta

2

Eu tenho uma situação em que alguns IPs da Moldávia tentam todos os dias descobrir minhas credenciais básicas de autenticação com algum tipo de ataque de força bruta.

No entanto, tenho uma regra com o fail2ban que deve evitar essa situação. E funciona quando eu tento com uma VPN.

Exemplo de solicitação que aciona o fail2ban após três tentativas. Minhas solicitações

2016/07/14 15:10:54 [error] 13937#0: *55700 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 146.185.31.214, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt"

O problema é que, a solicitação do IP do hacker não acionará o fail2ban e não sei por quê. A única diferença é o referrer: , como você pode ver.

2016/07/14 01:54:31 [error] 13913#0: *42558 user "engineer" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/
/etc/fail2ban/filter.d/nginx-http-auth.conf

[Definition]


failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =
[nginx-http-auth]

enabled = true
filter  = nginx-http-auth
port    = http,https
logpath = /usr/local/nginx/localhost-error.log
maxretry = 3

Então, a questão é por que minhas solicitações acionam a regra e as solicitações do invasor não?

Trecho do log:

2016/07/14 01:54:27 [error] 13917#0: *42529 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost,  request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:27 [error] 13917#0: *42530 user "mts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42531 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42532 user "telecomadmin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42533 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42534 user "mgts" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42535 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:28 [error] 13917#0: *42536 user "admin" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
2016/07/14 01:54:29 [error] 13917#0: *42539 user "kyivstar" was not found in "/usr/local/nginx/.htpasswd", client: 194.28.112.51, server: localhost, request: "GET / HTTP/1.1", host: "www.mysite.pt", referrer: "http://www.mysite.pt/"
    
por Fel 14.07.2016 / 16:33

1 resposta

1

Não tenho certeza se o seguinte é muito genérico para você (em caso afirmativo, poste um comentário de acordo com isso), mas o regex fornecido não corresponde ao valor host: ... do log gerado pelo invasor, especificamente o / lá dentro.

Você pode experimentar isso:

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: ".*"$
    
por 14.07.2016 / 21:38